As of Boomla v0.3.0, you can embed 3rd party plugins into your pages, like Youtube videos, Google Maps, Disqus comments, Google Analytics, etc.
Our solution is both safe and simple.
To enable Youtube videos, you have to
.Trust (dot, uppercase!) into the file referencing the video,
Same goes for other services, just use different domains. If you need to reference more domains, just put them on new lines.
The rest of this document is only for tech savvy people.
What you are editing via the .Trust file is the Content-Security-Policy HTTP header your website returns for every request.
If you are familiar with Content-Security-Policy directives, you can specify directive values more specifically. For example, to enable loading Bootstrap from a CDN, you could write script-src maxcdn.bootstrapcdn.com; style-src maxcdn.bootstrapcdn.com.
While it’s nice to be more specific, it often means you have to do more research on what a service needs, and you are going to enable everything it needs anyway, so what’s the benefit of the extra work? For that reason, you can instead just write maxcdn.bootstrapcdn.com and Boomla will expand it for you with the proper syntax.
Note that you must commit your .Trust file for it to take effect. Here is why. Assume your website is compromised and a hacker succeeds in placing a malicious script with a .Trust file on your site. That script (virus) will not work as long as you haven’t approved it. When committing, you will be prompted about any additions to your .Trust files. Thus, to hack your site, hackers will need
So, Boomla will only trust external vendors which are present in your latest commit. Note that if you have multiple Youtube videos, you will not need to commit every single .Trust file. Having one committed is enough.
If you are writing or using a Boomla app that relies on 3rd party services, you can add the .Trust file centrally to your app, so you won’t need to enable every single file of this file type. If you are to install the app, you will also need to commit the
Note that Boomla is not using a central file to enable Content-Security-Policy directives. This is crucial, because this way you will not need to do extra administrative work when installing or uninstalling apps, or when removing content that was trusting a 3rd party service provider. The trust will be removed with the content or the app.
Note that the Content-Security-Policy HTTP header will only be populated from .Trust files that are relevant to the response. This means any files that were rendered on the page and any apps that were used for rendering
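The rules described on this page can be modelled in a few lines. This is an added example, not Boomla's own code: it expands bare hosts, keeps only entries that are present in the latest commit, and builds the header from the .Trust files used by one response. The names `parse_trust` and `build_csp`, the directive set a bare host expands to, and the `'self'` baseline are assumptions.

```python
import re

# Assumption: the directives a bare host line expands to. The page does not
# list what Boomla generates, so this set is illustrative only.
BARE_HOST_DIRECTIVES = ("script-src", "style-src", "img-src", "frame-src", "connect-src")
HOST_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$")
DIRECTIVE_RE = re.compile(r"^[a-z]+-src$")

def parse_trust(text):
    """Turn one .Trust file into a set of (directive, host) entries."""
    entries = set()
    for part in re.split(r"[;\n]", text.lower()):
        tokens = part.split()
        if not tokens:
            continue
        if len(tokens) == 1:                      # bare host: expand it
            directives, hosts = BARE_HOST_DIRECTIVES, tokens
        elif DIRECTIVE_RE.match(tokens[0]):       # explicit "directive host ..."
            directives, hosts = (tokens[0],), tokens[1:]
        else:
            raise ValueError(f"unknown directive: {tokens[0]!r}")
        for host in hosts:
            # This model accepts plain hosts only; keywords such as
            # 'unsafe-inline' are rejected instead of reaching the header.
            if not HOST_RE.match(host):
                raise ValueError(f"not a plain host: {host!r}")
            entries.update((d, host) for d in directives)
    return entries

def build_csp(relevant, committed):
    """relevant: texts of the .Trust files used to render this response.
    committed: texts of every .Trust file in the latest commit."""
    approved = set().union(*map(parse_trust, committed))
    wanted = set().union(*map(parse_trust, relevant))
    policy = {}
    for directive, host in sorted(wanted & approved):
        policy.setdefault(directive, []).append(host)
    # Assumption: same-origin baseline; the page does not state the default.
    parts = ["default-src 'self'"]
    parts += [f"{d} 'self' {' '.join(hosts)}" for d, hosts in policy.items()]
    pending = sorted(wanted - approved)           # what a commit prompt would list
    return "; ".join(parts), pending
```

An entry that exists only in the working tree shows up in `pending` and never in the header, which is the property the commit prompt relies on.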